Twenty different types of sensitive personal data pertaining to the survivors were accidentally shared by FEMA, leaving those individuals at increased risk of fraud and identity theft, says the Office of Inspector General.

The slip-up was detailed in a Department of Homeland Security OIG report released on March 15. FEMA's Joint Assessment Team and Office of the Chief Information Officer are now auditing the contractor's network to see if the data may have been further exposed. The name of the contractor has not been publicly released; it was redacted from the OIG's report.

Complicating FEMA's efforts to find out what happened is the fact that the contractor only retained network logs for 30 days. And FEMA's cybersecurity experts have already found 11 security vulnerabilities in the contractor's network, of which only four have been remediated, meaning that would-be hackers might have been able to easily access the network.

"According to FEMA, these assessments found no indication of intrusion within the last 30 days although the assessment identified that the contractor did not maintain logs past 30 days," the OIG says.

The sensitive data has been erased from the contractor's system, but the review of the contractor's network is not expected to conclude until June 30, 2020.

FEMA's data exposure is just the latest in a series of incidents involving U.S. government agencies exposing or losing control of individuals' personal details. In 2015, hackers stole as many as 14 million personal records for current and former federal employees from the Office of Personnel Management, including 6 million biometric fingerprints (see Stolen OPM Fingerprints: What's the Risk?).

Lawmakers have called on government officials to come clean on how the latest data spillage happened. "FEMA Acting Administrator Gaynor must testify before Congress. We need answers about how this happened," Sen. Kamala Harris of California, who's a Democratic presidential candidate for 2020, tweeted on Sunday.

OIG: FEMA Didn't Follow Guidelines

For people who survived hurricanes and wildfires, the data exposure comes as a second hit. Victims of such disasters, including hurricanes Harvey, Irma, Maria and the California wildfires in 2017, provided their data to qualify for short-term emergency shelter in hotels.

FEMA is allowed to share data such as names, birth dates, Social Security numbers - but only the last four digits - and other administrative data. But it also passed along street addresses, bank names and account numbers.

The OIG detailed six types of data that FEMA should not have released to a contractor. (Source: OIG)

"The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [redacted contractor]," the OIG says in its report. "Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud."

FEMA must comply with federal law and also internal regulations that outline how it can share data. The agency is bound by the federal Privacy Act of 1974, which restricts the sharing of personal data to that which is "legally authorized and necessary," the OIG says.

The act covers "personally identifiable information" and "sensitive personally identifiable information," which is a subset of PII covering financial data or data that could embarrass or otherwise harm someone.

The OIG's assessment.

FEMA is part of DHS, which has a "Handbook for Safeguarding Sensitive PII" that was published in December 2017, the OIG says. There's also a 2015 "Performance Work Statement" that describes the 13 data elements FEMA can send in order to verify survivors' eligibility for temporary shelter.

In this mishap, FEMA confirmed that the contractor received the data but not what types of data FEMA itself had been sending, the OIG says. Also, the contractor did not alert FEMA that the agency was sending data it should not have been sending.

"Although not required to do so, had [redacted contractor] officials notified FEMA officials that the agency was providing unnecessary PII and SPII for eligible survivors, FEMA may have been able to remedy this situation earlier and avoid additional privacy incidents," the OIG says.

FEMA unlawfully disclosed the private information of 2.3 million disaster survivors in California and across the country. I'll say it again: FEMA Acting Administrator Gaynor must testify before Congress. We need answers about how this happened.

FEMA Agrees to New Controls

Now, FEMA has agreed to follow two recommendations made by the OIG to help prevent this type of mishap from recurring.

The assistant administrator for FEMA's Recovery Directorate will "implement controls to ensure that the agency only sends required data elements of registered disaster survivors, such as [redacted contractor]," the OIG says. Also, the assistant administrator will ensure that the SPII is properly destroyed.

The agency will also continue to assess the contractor's systems to ensure it "maintains a security posture in accordance with federal standards on handling PII/SPII, as well as the FEMA Records Retention Schedule covering this information," the OIG says.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
